HackTool.Win32.Chisel.C

プログラムは、他のマルウェアに作成されるか、悪意あるWebサイトからユーザが誤ってダウンロードすることによりコンピュータに侵入します。

侵入方法

プログラムは、他のマルウェアに作成されるか、悪意あるWebサイトからユーザが誤ってダウンロードすることによりコンピュータに侵入します。

情報漏えい

プログラムは、以下のパラメータを受け取ります。

• server → runs chisel in server mode
• client → runs chisel in client mode

その他

プログラムは、以下を実行します。

• It accepts input in the following format:
  • For "server" → chisel server {optional parameters}
  • For "client" → chisel client {optional parameters} {server} {remote addresses}
• Accepts the following optional parameters if "server" is the command:
  • --host, Defines the HTTP listening host – the network interface (defaults the environment variable HOST and falls back to 0.0.0.0).
  • --port, -p, Defines the HTTP listening port (defaults to the environment variable PORT and fallsback to port 8080).
  • --key, An optional string to seed the generation of a ECDSA public and private key pair. All communications will be secured using this key pair. Share the subsequent fingerprint with clients to enable detection of man-in-the-middle attacks (defaults to the CHISEL_KEY environment variable, otherwise a new key is generate each run).
  • --authfile, An optional path to a users.json file. This file should be an object with users defined like: {"": ["",""]} when connects, their will be verified and then each of the remote addresses will be compared against the list of address regular expressions for a match. Addresses will always come in the form ":" for normal remotes and "R::" for reverse port forwarding remotes. This file will be automatically reloaded on change.
  • --auth, An optional string representing a single user with full access, in the form of . This is equivalent to creating an authfile with {"": [""]}.
  • --proxy, Specifies another HTTP server to proxy requests to when chisel receives a normal HTTP request. Useful for hiding chisel in plain sight.
  • --socks5, Allow clients to access the internal SOCKS5 proxy. See chisel client --help for more information.
  • --reverse, Allow clients to specify reverse port forwarding remotes in addition to normal remotes.
  • --pid Generate pid file in current working directory
  • -v, Enable verbose logging
  • --help, This help text
• Accepts the following optional parameters if "client" is the command:
  • --fingerprint, A *strongly recommended* fingerprint string to perform host-key validation against the server's public key. You may provide just a prefix of the key or the entire string. Fingerprint mismatches will close the connection.
  • --auth, An optional username and password (client authentication) in the form: ":". These credentials are compared to the credentials inside the server's --authfile. defaults to the AUTH environment variable.
  • --keepalive, An optional keepalive interval. Since the underlying transport is HTTP, in many instances we'll be traversing through proxies, often these proxies will close idle connections. You must specify a time with a unit, for example '30s' or '2m'. Defaults to '0s' (disabled).
  • --max-retry-count, Maximum number of times to retry before exiting. Defaults to unlimited.
  • --max-retry-interval, Maximum wait time before retrying after a disconnection. Defaults to 5 minutes.
  • --proxy, An optional HTTP CONNECT or SOCKS5 proxy which will be used to reach the chisel server. Authentication can be specified inside the URL.
  • --header, Set a custom header in the form "HeaderName: HeaderContent". Can be used multiple times. (e.g --header "Foo: Bar" --header "Hello: World")
  • --hostname, Optionally set the 'Host' header (defaults to the host found in the server url).
  • --pid Generate pid file in current working directory
  • -v, Enable verbose logging
  • --help, This help text
• It can be used to bypass through a firewall.